Close Menu
  • Home
  • News
  • Security
  • Privacy
  • Cybercrime
    • Threat Groups
    • Ransomware
    • Explainers
    • Stealer Logs
  • AI
  • OSINT
  • Tools
    • Ransomtracker
    • Stealercheck
    • FortiBleed Checker
  • About Us
Facebook X (Twitter) Instagram Threads
Ransomnews
  • Home
  • News
  • Security
  • Privacy
  • Cybercrime
    • Threat Groups
    • Ransomware
    • Explainers
    • Stealer Logs
  • AI
  • OSINT
  • Tools
    • Ransomtracker
    • Stealercheck
    • FortiBleed Checker
  • About Us
Facebook X (Twitter) LinkedIn
Ransomnews
Security

Registrų centras breach: 600,000 records exposed

Ransomnews Research TeamBy Ransomnews Research TeamMay 27, 2026Updated:July 2, 2026No Comments10 Mins Read1,138 Views
Share Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
Synthwave cover for the Registrų centras 2026 breach: 600,000 records exposed from two state registers, neon perspective grid, floating registry document and broken padlock
Share
Facebook Twitter LinkedIn Pinterest Email Copy Link

Lithuania’s Centre of Registers (Registrų centras) disclosed a major data breach on 25 May 2026, with roughly 600,000 records from the Real Estate Register and the Register of Legal Entities accessed through the misuse of credentials belonging to authorised query institutions. The credentials were used from abroad, according to Lithuania’s General Prosecutor’s Office. Director Adrijus Jusas resigned the same day. A pre-trial investigation has been opened by the Criminal Police Bureau, and records relating to intelligence officers are reported to be among the affected data.

Updated 25 May 2026. Numbers in the charts below are live Alerts.bar credential-supply data, queried the day of the disclosure.

Key takeaways

  • Scale. About 600,000 records accessed from two of Lithuania’s foundational state registers.
  • Mechanism. Not a perimeter breach. Attackers reused valid credentials of third-party institutions that are authorised to query the registers.
  • Direct exposure. Alerts.bar’s stealer-log index shows 117 accounts tied to the breached agency’s own domain, including 3 live infected staff endpoints.
  • Ecosystem exposure. Across 18 sampled Lithuanian institutional domains, 60 live infected staff endpoints and 60,700 stolen session cookies are circulating in stealer-log marketplaces.
  • Attribution. No group named. Queries originated from abroad; Lithuania’s Criminal Police Bureau is leading the pre-trial investigation.
  • What MFA does not stop. Stolen browser session cookies replay an authenticated session without triggering an MFA challenge.
Registrų centras stealer-log exposure: 117 stealer accounts, 1326 cookies, 2442 credential hits, 91 breach sources
Live stealer-log exposure for the breached agency’s own domain, refreshed 27 May 2026. The same numbers update continuously on our Stealercheck tool. Source: Alerts.bar.

What happened at Registrų centras?

Registrų centras is the state-owned operator of Lithuania’s foundational registries, including the Real Estate Register and the Register of Legal Entities. On 25 May 2026, the agency confirmed that an unauthorised party accessed roughly 600,000 records by abusing the credentials of institutions legitimately permitted to query the registers. The agency said the queries originated from outside Lithuania. Director Adrijus Jusas resigned within hours of the disclosure, and the General Prosecutor’s Office opened a pre-trial investigation handled by the Criminal Police Bureau.

Lithuanian media reporting (LRT, Delfi) indicates that personal data linked to intelligence and security officers is among the affected records, which is the detail that escalated the incident from an administrative failure into a national-security matter. As of publication, the agency has not named the third-party institutions whose credentials were misused, and no group has publicly claimed responsibility.

How were the credentials obtained?

Lithuanian authorities have not published a technical post-mortem, but two routes account for almost all credential-reuse attacks against European public-sector portals: stealer-log credential reuse and initial access broker (IAB) sales. Both routes have been the dominant non-phishing entry vector across Europe through 2025 and 2026. The attacker does not need to breach the central system. They obtain valid credentials issued to a trusted third-party institution and replay them against the portal.

Attack chain in the Registrų centras breach: infostealer to credentials to IAB marketplace to authorised institution to state register query
The 5-step attack chain that turns a single infected staff endpoint into a state-registry query. Source: Ransomnews threat-model summary.

How big is the underlying credential supply chain?

Across 18 Lithuanian institutional domains we sampled in Alerts.bar’s stealer-log corpus, more than 42,900 raw user credentials and 60,700 stolen browser session cookies are sitting in the marketplaces that Lithuanian attackers and their resellers draw from. The categorisation below groups domains by sector, since the point is the systemic exposure of the ecosystem and not any individual organisation.

Lithuanian institutional credential supply chain across 18 sampled domains by sector
Aggregate stealer-log exposure across 18 sampled Lithuanian institutional domains, grouped by sector to anonymise individual organisations. Source: Alerts.bar.

Banking dominates the credential supply because retail-banking users far outnumber agency-portal users. The cookie count is what matters for portal access: a fresh session cookie replays the existing login without re-prompting the user for credentials or a multi-factor challenge.

How big is the staff-credential exposure?

The single most important number in this incident is not the 600,000 affected register records, it is the number of infected staff endpoints across the ecosystem. Stealer logs distinguish between user accounts (citizens logging into a service) and staff accounts (employees of the institution itself, identifiable by corporate email). Staff endpoints carry the privileged sessions that can issue large-volume register queries; user endpoints generally cannot.

Staff endpoint exposure: 3 live infected endpoints at the breached agency vs 60 across the wider Lithuanian institutional ecosystem
Three live infected staff endpoints at the breached agency, set against 60 live infected staff endpoints across the wider institutional ecosystem. Source: Alerts.bar.

Three live infected staff endpoints at the breached agency itself is a small number, but it is not zero, and it is enough. Once an attacker has working cookies or a credential for any one of those endpoints, the path to query the registers through legitimate channels is open until the cookie expires or the session is invalidated. The wider ecosystem of 60 live infected staff endpoints across the sampled domains means a buyer in the credential market has multiple authorised institutions to choose from at any given moment.


Why cookies, not passwords, are the real story

Modern infostealers exfiltrate browser session cookies alongside saved passwords. A live session cookie can be replayed against the target portal without re-authenticating, which means multi-factor authentication does not stop the access. We covered this in detail in our piece on session cookie theft as the dominant MFA bypass of 2026. The 1,326 cookies tied directly to the breached agency’s own domain are the active blast radius; the 60,700 cookies across the wider sampled ecosystem represent the supply of authorised-session impersonations an external buyer could draw from.

Who would target a state registry?

State registries are high-value targets for three distinct buyer categories. Financially motivated criminals use registry data to build convincing impersonation packages for loan fraud, real estate fraud, and tax fraud. Identity-theft brokers package register entries into bulk identity files sold on Russian-language forums. And foreign intelligence services use register data to map ownership of strategic assets, identify cover identities, and build dossiers on individual officials.

The Lithuanian prosecutor’s statement that records relating to intelligence and security personnel were touched in this incident sits squarely in the third category. Ransomnews is not in a position to attribute the operation, and Lithuanian authorities have not named a perpetrator publicly. We note only what investigators have said: the queries came from abroad, and the misuse exploited valid third-party credentials rather than a vulnerability in Registrų centras’ own systems.

How does the IAB market fit in?

Initial access brokers have professionalised the resale of stealer-log credentials. A broker harvests stealer logs at scale, indexes them by target domain, and sells access bundles to other criminals or state-aligned operators. Listings for Baltic banks, Lithuanian government portals, and Nordic financial systems appear regularly on the major Russian-language access markets. The price point for credentials to a state-registry portal sits in the low four figures in USD when working session cookies are included, and considerably lower when only passwords are on offer.

That economics matters because it makes this kind of attack cheap to attempt repeatedly. A buyer does not need to develop a zero-day or run a phishing campaign. They buy the cookie, replay the session, and conduct queries through the legitimate portal until the authorised institution notices the anomaly or the cookie expires.

What should affected parties do?

If you are an institution that holds Registrų centras query credentials, the immediate steps are concrete and cheap. Rotate all service-account passwords and force re-authentication on every administrative session. Pull endpoint detection logs for the last 90 days and search for known infostealer family indicators (Lumma, StealC, Vidar, Redline, Raccoon). Invalidate any active sessions to the portal and require fresh logins with hardware-bound second factors where available. Audit which devices, including personal ones, have stored credentials for state-system access.

If you are a Lithuanian citizen whose register entry may have been touched, the realistic exposure is identity-theft and targeted phishing. Treat unsolicited messages claiming to come from notaries, banks, or government agencies with elevated skepticism for the next 12 months. Monitor your credit and any registered businesses for unauthorised changes.

Organisations that want to check their own stealer-log exposure can run their domain through our free stealer-log checker, which queries the Alerts.bar index. Endpoint protection that catches infostealers before they exfiltrate is covered in our business ransomware protection picks. Specialist dark-web monitoring services subscribe to continuous feeds of newly harvested logs and alert when your domain appears.

What this means for public-sector defenders

The Registrų centras incident is a clean example of a pattern that is now routine across European public-sector infrastructure. The attacker does not breach the central system; they breach a partner. The central system trusts the partner’s credentials by design, so the abuse looks like normal traffic until anomaly detection or a third-party tip flags it. Defending against this requires two changes that most agencies have not yet made: continuous credential-leak monitoring at the partner level, and behavioural anomaly detection on the central portal that compares query patterns against the partner’s historical baseline.

For the next 30 days, expect copy-cat attempts against other Baltic and Nordic state registers. The Lithuanian incident gives criminal and state-aligned actors a tested playbook, and the underlying market for stealer-log credentials does not run out.


Frequently asked questions

How many records were exposed in the Registrų centras breach?

Approximately 600,000 records from the Real Estate Register and the Register of Legal Entities, according to public statements from Lithuanian authorities on 25 May 2026.

Who is responsible for the Registrų centras data leak?

No group has been named publicly. The General Prosecutor’s Office said queries were made from abroad using the credentials of authorised institutions, and the Criminal Police Bureau is leading the pre-trial investigation. No formal attribution has been issued.

Was Registrų centras itself hacked?

Not in the conventional sense. The agency’s own perimeter does not appear to have been breached. The attacker used the valid credentials of third-party institutions that are authorised to query the registers, then ran queries that the central system saw as legitimate.

Were intelligence officers’ personal data affected?

Lithuanian media reports indicate that a subset of the accessed records relates to intelligence and security personnel. This is the detail that elevated the incident from an administrative failure to a national-security matter.

Why did the director resign?

Adrijus Jusas resigned on the day of disclosure. The agency did not publish a detailed rationale, but resignation on the day of a high-impact public disclosure usually reflects either accountability or political pressure. Either way, leadership transition is now under way at the Centre.

How can institutions check if their credentials are circulating in stealer logs?

Run your domain through a stealer-log lookup service such as the free Ransomnews stealer-log checker or the underlying Alerts.bar dataset. Specialist dark-web monitoring services subscribe to continuous feeds of newly harvested logs and alert when your domain appears.

Does multi-factor authentication protect against this kind of attack?

Not on its own. Infostealers exfiltrate browser session cookies, which let an attacker replay an authenticated session without re-entering credentials and without triggering an MFA challenge. Hardware-bound second factors (FIDO2 / WebAuthn) and short session lifetimes are the practical defences.

Related Ransomnews coverage

  • Stealercheck, free domain-level exposure check against the stealer-log economy.
  • Ransomtracker, live index of active ransomware operations and their published victims.
  • Initial access brokers 2026, the upstream market for credentials operators reuse.
  • Session cookie theft and MFA bypass 2026, why cookies, not passwords, are the practical risk.
  • Best ransomware protection for business 2026, endpoint and platform-level defences ranked.
  • Best dark-web monitoring services, continuous alerts when your credentials surface.

Keywords: Registrų centras breach, Registru centras data leak 2026, Lithuania state register hack, Real Estate Register breach Lithuania, Register of Legal Entities leak, authorised institution credential abuse, stealer log credential reuse Baltic, initial access broker Lithuania, session cookie MFA bypass 2026, Lithuanian public sector stealer log exposure, Alerts.bar stealer log index, national security records breach, Adrijus Jusas resignation.

This report draws on official Lithuanian statements, public reporting, and primary stealer-log data from Alerts.bar. Numbers in the charts above are aggregate counts across 18 sampled Lithuanian institutional domains, grouped by sector. Individual organisations are not named in keeping with our editorial policy on credential-exposure reporting. Ransomnews will update the article as additional confirmed facts emerge.

Share. Facebook Twitter Pinterest LinkedIn Tumblr Telegram Email Copy Link
Previous Article62% of database ransom wallets were never paid
Next Article Ransomware runs office hours: what 16,699 leak posts reveal
Ransomnews Research Team

The Ransomnews Research Team is the collective byline used for collaborative pieces, editorial briefings, and articles drawing on contributions from multiple researchers. Coverage spans ransomware operations, breach economics, threat actor profiling, OSINT methodology, and emerging risks across security, privacy, and AI.

Related Posts

macOS.Gaslight: malware that prompt-injects your SOC

July 16, 2026

The Gentlemen weaponised a Kontron driver to kill EDR

July 10, 2026

FortiBleed: 75,000 cracked Fortinet firewalls, no zero-day needed

June 18, 2026

Comments are closed.

Facebook X (Twitter) LinkedIn
© 2026 Ransomnews.com

Type above and press Enter to search. Press Esc to cancel.

Cookies on Ransomnews

We use strictly-necessary cookies to run the site and may use first-party analytics to understand which articles are read. Some pages contain affiliate links — when you click one, the affiliate network sets cookies on the merchant's domain to attribute the referral. See the Cookie Policy and Affiliate Disclosure for detail.

RANSOMNEWS.COM

Tracking the criminal infrastructure of the internet.

Independent coverage of ransomware, breach economics, threat actors, privacy, AI security, and the open-source investigation toolkit.

// Topics

  • News
  • Security
  • Privacy
  • Cybercrime
  • AI
  • OSINT
  • Threat Groups
  • Stealer Logs
  • Ransomtracker
  • Stealercheck
  • FortiBleed Checker

// Site

  • About Us
  • Editorial Team
  • Contact
  • Tip Line
  • Editorial

// Legal

  • Privacy Policy
  • Terms of Service
  • Cookie Policy
  • Funding & Independence
  • RSS Feed
© 2026 Ransomnews.com · Tracking the criminal infrastructure of the internet.